[CentOS] Fwd: Heads up: OpenSSH users

Thu Jan 14 18:49:57 UTC 2016
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Thu, January 14, 2016 11:46 am, m.roth at 5-cent.us wrote:
> Timo Schöler wrote:
>> On 01/14/2016 05:34 PM, m.roth at 5-cent.us wrote:
>>> Michael H wrote:
>>>> Probably worth a read...
>>>> http://www.openssh.com/txt/release-7.1p2
>>>>> Important SSH patch coming soon.  For now, everyone on all
>>>>> operating systems, please do the following:
>>>>> Add undocumented "UseRoaming no" to ssh_config or use
>>>>> "-oUseRoaming=no" to prevent upcoming #openssh client bug
>>>>> CVE-2016-0777. More later.
>>>> echo "UseRoaming no" >> /etc/ssh/ssh_config
>>> Please clarify - will the update add *Roam* to
>>> /etc/ssh/ssh_config?
>> It will fix the bug.
>>> I've just checked on two systems that are CentOS 7, a server, and
>>> a workstation that I literally built yesterday, and grep -i on
>>> both reports "no, not here".
>> Yes, as it's undocumented, but enabled since about 2010. Even OpenBSD
>> 5.9 (pre-release, it's going to be released on May 1st, 2016) does not
>> mention it.
> Undocumented? You're saying that there's a feature that is configurable
> via the configuration file, and there's no mention of it at all in the
> configuration file, not even the default?
> That is more than slightly unacceptable.

More than agree! I highly respected the OpenBSD project, especially for
their OpenSSH. After the scandal with the OpenBSD IPSEC stack backdoor
accusations, my respect faded grossly, and I felt extremely happy that my
choice of system for servers fell on FreeBSD, not OpenBSD (for some
independent reason)...


Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
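As an added example (not from the thread or the OpenSSH project), a POSIX shell script that applies the mitigation quoted above, "UseRoaming no" in ssh_config, and checks that it actually takes effect. ssh_config(5) uses the first value it sees for a keyword, so the `echo "UseRoaming no" >> /etc/ssh/ssh_config` one-liner is silently ignored if an earlier line already sets UseRoaming; the function names and the file path argument are assumptions.

```shell
#!/bin/sh
# effective_use_roaming FILE
# Prints the value of UseRoaming that ssh would actually use for the global
# section of FILE ("unset" if none): first match wins, and only lines above
# the first Host/Match block apply to every host. Handles "Key value" and
# "Key=value" forms, any letter case, and ignores comment lines.
effective_use_roaming() {
    awk '
        { k = tolower($1); sub(/=.*/, "", k) }
        k == "host" || k == "match" { exit }          # end of global section
        k == "useroaming" {
            if (index($1, "=")) { v = $1; sub(/^[^=]*=/, "", v) } else v = $2
            print tolower(v); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# ensure_use_roaming_no FILE
# Removes every existing UseRoaming line and puts "UseRoaming no" on the
# very first line, where nothing in FILE can override it. Note that
# ~/.ssh/config is read before the system file, so a per-user
# "UseRoaming yes" would still win; check user files separately.
ensure_use_roaming_no() {
    file=$1
    tmp=$(mktemp) || return 1
    awk '{ k = tolower($1); sub(/=.*/, "", k) } k != "useroaming"' "$file" > "$tmp"
    { printf 'UseRoaming no\n'; cat "$tmp"; } > "$file"   # keeps file mode
    rm -f "$tmp"
}

# Stand-alone use: ./script /etc/ssh/ssh_config (needs write access).
if [ "$#" -gt 0 ]; then
    ensure_use_roaming_no "$1"
    echo "effective UseRoaming in $1: $(effective_use_roaming "$1")"
fi
```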